New Tool Detects Indicators of Compromise for Citrix Systems
In the absence of patches for some versions of Citrix Application Delivery Controller affected by the recently disclosed directory-traversal vulnerability, the company has worked with FireEye Mandiant to develop a tool that enterprise security teams can use to determine whether their systems have been compromised.

The new tool scans affected systems to look for known indicators of compromise that have emerged from exploitation attempts seen in the wild. The scanner works on several versions of the Citrix ADC and Gateway, including 11.1, 12.0, 12.1, 10.5, and 13.0. Citrix is releasing permanent patches for the vulnerability over the course of this week, and already has pushed out fixes for versions 11.1 and 12.0. Patches for the other affected versions are scheduled for release on Jan. 24.

“While our security and engineering teams have been working around the clock to develop, test and deliver permanent fixes to CVE-2019-19781, we have been actively thinking of ways to assist our customers in understanding if and how their systems may have been affected,” said Fermin J. Serna, Citrix’s chief information security officer.

The vulnerability (CVE-2019-19781) was first disclosed in December and Citrix warned customers that it could lead to arbitrary code execution by a remote, unauthenticated attacker. The company said at the time that it did not have fixes available and that it would be several weeks before patches would be ready. In the interim, researchers developed proof-of-concept exploit code and made it available publicly while attackers began writing their own exploits.

Last week, researchers began seeing large-scale scanning activity from attackers searching for vulnerable systems, and there were plenty to find. Bad Packets discovered more than 25,000 vulnerable systems online last week. Citrix’s internal security team is also scanning the Internet for at-risk endpoints that don’t have the available mitigations or patches installed, and is working with customers to remedy the situation.

Some of the exploitation activity against vulnerable Citrix ADC appliances has been unusual. Last week, FireEye researchers noticed one threat actor compromising target systems and then installing a tool to prevent other attackers from exploiting the same system in an apparent attempt to hoard compromised systems.

“Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,” William Ballenthin and Josh Madeley of FireEye said.

“Of note, the actor removes malware known to target NetScaler devices via the CVE-2019-19781 vulnerability. Cryptocurrency miners are generally easy to identify—just look for the process utilizing nearly 100% of the CPU. By uninstalling these unwanted utilities, the actor may hope that administrators overlook an obvious compromise of their NetScaler devices.”

In addition to the Citrix-FireEye scanner, the Department of Homeland Security has also published a tool that enterprises can use to test their installations for the Citrix CVE-2019-19781 vulnerability.